#!/bin/sh
# shellcheck shell=dash disable=SC2169,SC3001,SC3010 source=/dev/null
#
# Starts lighttpd.
#

[[ -r /var/hm_mode ]] && . /var/hm_mode

PIDFILE=/var/run/lighttpd.pid
PIDFILE_ANGEL=/var/run/lighttpd-angel.pid

# skip this startup if not in normal mode
[[ "${HM_MODE}" != "NORMAL" ]] && exit 0

check_certificate() {
  # check if a valid/non-expired SSL cert exists and if
  # not we regenerate it.
  if ! /usr/bin/openssl x509 -checkend 86400 -noout -in /etc/config/server.pem 2>/dev/null >/dev/null; then
    [[ -f /etc/config/server.pem ]] && mv -f /etc/config/server.pem "/etc/config/server.pem_$(date +%Y%m%d)"
    echo -n "creating new SSL cert... "
    IP=$(ip -4 route get 1 | head -1 | cut -d' ' -f8 | tr -d '\n')
    /usr/bin/openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \
                                           -keyout /etc/config/server.pem \
                                           -out /etc/config/server.pem \
                                           -days 3650 \
                                           -addext "subjectAltName = DNS:$(hostname),IP:${IP}" \
                                           -addext "keyUsage = keyCertSign,digitalSignature,keyEncipherment" \
                                           -addext "extendedKeyUsage = serverAuth" \
                                           -addext "nsCertType = server,sslCA" \
                                           -subj "/C=DE/O=HomeMatic/OU=$(cat /var/board_serial)/CN=$(hostname)" 2>/dev/null >/dev/null
  fi
}

start() {
  echo -n "Starting lighttpd: "

  # check if a valid/non-expired SSL cert exists and if
  # not we regenerate it.
  check_certificate

  # activate/deactivate service interface authentication
  if [[ -f /etc/config/authEnabled ]] && [[ -f /etc/lighttpd/conf.d/auth.conf ]]; then
    echo "include \"/etc/lighttpd/conf.d/auth.conf\"" >/var/etc/lighttpd_auth.conf
  else
    echo "" >/var/etc/lighttpd_auth.conf
  fi

  # activate/deactivate automatic https redirect
  if [[ -f /etc/config/httpsRedirectEnabled ]]; then
    echo "include \"/etc/lighttpd/conf.d/httpsredirect.conf\"" >/var/etc/lighttpd_httpsredirect.conf
  else
    echo "" >/var/etc/lighttpd_httpsredirect.conf
  fi

  # activate/deactivate RemoteAPI ports
  if [[ -f /var/status/startupFinished ]]; then
    echo "include \"/etc/lighttpd/conf.d/webui_remoteapi.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
  else
    echo "include \"/etc/lighttpd/conf.d/webui_remoteapi_notready.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
  fi

  # adjust the oom score (which is inherited by start-stop-daemon)
  # to ensure that others are killed first in case of low memory situations
  echo -900 >/proc/$$/oom_score_adj 2>/dev/null

  if start-stop-daemon -S -q -b -m -p ${PIDFILE_ANGEL} --exec /usr/sbin/lighttpd-angel -- -f /etc/lighttpd/lighttpd.conf -D; then
    echo "OK"
  else
    echo "ERROR"
  fi
}
stop() {
  echo -n "Stopping lighttpd: "
  start-stop-daemon -K -q -p ${PIDFILE_ANGEL}
  rm -f ${PIDFILE_ANGEL}
  [[ ! -f ${PIDFILE} ]] && echo "OK" || echo "ERROR"
}
restart() {
  stop
  start
}
reload() {
  echo -n "Reloading lighttpd: "

  # check if a valid/non-expired SSL cert exists and if
  # not we regenerate it.
  check_certificate

  # activate/deactivate service interface authentication
  if [[ -f /etc/config/authEnabled ]] && [[ -f /etc/lighttpd/conf.d/auth.conf ]]; then
    echo "include \"/etc/lighttpd/conf.d/auth.conf\"" >/var/etc/lighttpd_auth.conf
  else
    echo "" >/var/etc/lighttpd_auth.conf
  fi

  # activate/deactivate automatic https redirect
  if [[ -f /etc/config/httpsRedirectEnabled ]]; then
    echo "include \"/etc/lighttpd/conf.d/httpsredirect.conf\"" >/var/etc/lighttpd_httpsredirect.conf
  else
    echo "" >/var/etc/lighttpd_httpsredirect.conf
  fi

  # activate/deactivate RemoteAPI ports
  if [[ -f /var/status/startupFinished ]]; then
    echo "include \"/etc/lighttpd/conf.d/webui_remoteapi.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
  else
    echo "include \"/etc/lighttpd/conf.d/webui_remoteapi_notready.conf\"" >/var/etc/lighttpd_webui_remoteapi.conf
  fi

  start-stop-daemon -K -s USR1 -q -p ${PIDFILE_ANGEL}
  [[ -f ${PIDFILE} ]] && echo "OK" || echo "ERROR"
}

case "$1" in
  start)
    start
  ;;
  stop)
    stop
  ;;
  restart)
    restart
  ;;
  reload)
    reload
  ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
esac

exit 0
